The Commerce Department's long-awaited domain name plan is available
[1]. It proposes transitioning authority to oversee domain naming,
the assignment of IP addresses, the registration of Internet
protocol and port numbers, and the management of root servers from
their current stewards (IANA and NSI) to a new, US-based not-for-profit
corporation with an international board of directors, over a
period lasting from 6 to 30 months. The government contract with NSI
under which that corporation acts as both registrar and registry for
the existing global top-level domains (the proposal separates these
functions) will end on 1998-09-30, after a 6-month extension permitted
in the contract. NSI must hand over control of the root domain name
server at a "date certain" to be negotiated.

The plan suggests that 5 new registries be selected and chartered as
soon as possible by the Internet Assigned Numbers Authority. Each
new registry would be granted exclusive control over one new TLD.
The report solicits comments on what limitations might be placed on
the pool of applicants, if any. Applying registries would have to
meet technical, managerial, and legal criteria outlined in
appendices to the report -- in particular they would need to define
resolution processes in case of trademark disputes. Registries would be
required to offer equal and open access to all registrars worldwide.

Three other notable facets of the plan:

NSI gets to keep control of .com, .net, and .org. They have to
split off and "firewall" their registrar function for these
TLDs, and open up registrar access to them to others; but NSI
still emerges as the owner of the registry for these three
original TLDs. (The green paper states that responsibility for
.edu will be transferred to another not-for-profit organization;
rumors have circulated that this will be Educom.)

As of 1998-04-01 the government would stop collecting $30 of each
new NSI registrant's fee. (Of the $46M collected so far in the
Internet Intellectual Infrastructure Fund, half has been
allocated to the Internet II project and half is under dispute
in Federal court.) The report does not require NSI to drop its
initial registration fee from $100 to $70 after April 1, but
in my view the company is well advised to do so.

The underused .us TLD should be reexamined for possible
commercial use; perhaps .mil and .gov should be moved under it.

The existing process for reforming domain naming, CORE [2], is not
specifically mentioned in the government report, though many of the
green paper's ideas came from CORE; in fact CORE is among the
biggest losers. The 88 entities around the world who each paid $10K to
become CORE registrars seem to be out of luck, as do the individuals
and companies who pre-registered names with the CORE registrars for
the seven new TLDs whose future is now clouded. Emergent, the
contractor with which CORE is working to build a registry database,
would also seem to be a loser under the government plan, though
presumably they have been paid for their work so far. Under the
green paper plan, CORE and Emergent could apply to become a
registry, but could only submit one of their proposed seven TLDs for
consideration. All in all, the government gives greater credence to
the companies that have lobbied to run registries for particular
new TLDs, such as Image Online Design for .web and Iperdome for
.per. But the green paper squelches the ambitions of those who
favor a free-for-all marketplace in which anyone could create new
TLDs.

I asked Dave Crocker, one of the original members of the
International Ad Hoc Committee that led to CORE, to comment on the
government green paper; his comments [3] are posted on the TBTF
archive by permission.

The plan is being attacked as too US-centric [4] by European
observers, who are especially invested in the Geneva-based CORE
process. TechWeb [5] quotes David Maher, chair of CORE's policy
oversight committee, as saying the Clinton proposal is "too
protective of NSI and other US interests." Maher said, "If this
is treated as a US solution to US problems, people outside
the US are not going to be happy. I think that's a very severe
limitation on the viability of the [proposal]."

Here are other comments [6] by CORE on the green paper. Trademark
holders are not happy [7]; they fear they will have to spend money
to deal with numerous disparate registrars in order to protect
their names.

A mostly sound summary of the user impacts of the green paper can
be found on the igoldrush site [8].

The plan is open for comments (send to dns@ntia.dot.gov) until at least the
first week in March. The closing date for comments will be
determined when the paper is posted to the Federal Register this week.

Wired muses [9] on the grand experiment in "freed software" on
which Netscape embarked last week [10]. It's an open question
whether Netscape can engage developers enough to halt Navigator's
slide in the browser standings, let alone whether the company will
be successful in "herding the cats" on such a scale. (The
question of whether Netscape will ever make money, albeit indirectly,
from the giveaway is even more tenuous.) Advice should be easy to
come by; I'm sure the central figures in the Linux, perl, and
Apache worlds would be happy to offer guidance if asked. In fact
Netscape has requested the counsel of Eric S. Raymond
<esr at snark dot thyrsus.com>, author of the influential paper The
Cathedral and the Bazaar [11], on licensing terms, development
models, developer relations, and so on. (Raymond hints that he has
been asked to meet with other Silicon Valley CEOs on the same trip.)

The free software phenomenon is big and growing fast. It's
inherently difficult to estimate the size of the Linux market because
there is no central body controlling its distribution, and because
the software is available for free download from numerous sites
around the world.

First some recent numbers on the commercial competition. A new IDC
study [12] indicates that Windows NT shipments outpaced commercial
Unix in 1997. Windows NT grew at 78% year-on-year, while Unix grew
at 15%. The numbers below presumably refer to installations of
NT Server, though the news.com article does not make a distinction
with NT Workstation.

    OS              thousands
    NT Server       1300
    NetWare          900
    Comm'l. Unix     717
    OS/2             226

In a SunWorld Online article [13] on Linux support by Red Hat, one
of the Linux resellers, an IDG analyst estimated 1997 Linux
installations at 2 to 6 million, putting Linux on a par with the
Macintosh:

    OS                millions
    NT Workstation    7+
    Linux             2 - 6
    MacOS             3.8
    OS/2              1.2

(Another SunWorld article profiles Linux use in the business world
[14]. Note especially the sidebar case study of a system
administrator who runs 72 print stations worldwide on Linux.)

An often-quoted source of Linux numbers is a year-old white paper
[15] by Bob Young, CEO of Red Hat. Young notes surveys by Unix
magazines that point to anywhere from 10% to 34% of their readers
using Linux. Here are Young's estimates of the number of Linux
systems extant through 1996:

    End of year    millions
    1993           0.1
    1994           0.5
    1995           1.5
    1996           3 - 5

In the SunWorld Online piece [13] Red Hat's PR director estimates
that in 1997 there were between 5 and 7 million Linux systems
operating.

Let's work our way to a new estimate of the 1997 Linux population by
other means. At a talk last week by Red Hat staffers at Softpro [16],
Donnie Barnes estimated that 400K Red Hat CDs will be sold in 1998.
In another context he mentioned that each major release has sold
roughly twice as many copies as its predecessor. Taken together
these factoids lead to a rough guess of 200K CDs sold in 1997.
Figures from Softpro indicate that for 1997 the sales of all other
Linux CDs combined added up to about 25% of Red Hat sales. Softpro
doesn't carry all the available CDs; in particular some brands that
are big sellers in Europe are not represented. So let us hazard an
estimate of 300K Linux CDs sold worldwide in 1997.

FTP downloads outnumber Linux CD sales, according to an ongoing
survey at the Linux Counter [17] site. These data stretch back to
1994 and so obscure the increasing popularity of the Linux CD
products. If we assume that FTP downloads outnumbered CD sales by 3
to 1 in 1997, we arrive at about 1.2 million Linux media kits. CDs
typically get used for more than one installation, either by the
purchaser or by someone she passes it to (there being no
restriction on multiple use, of course). In the extreme case a system
administrator might install scores of Linux machines from a single
CD or FTP download [14]. If we assume the multiple-use multiplier
is 5 or more, we're in the realm of Red Hat's estimate of 5 to 7
million total Linux systems in 1997.

The company responds, though not officially, to a claim of basic security weaknesses

Microsoft has issued a reply [18] to the Peter Gutmann article [19],
[20] claiming basic weaknesses in Microsoft's handling and storage
of cryptographic keys. It clears up some possible misunderstandings
by Gutmann about which technologies are implemented in which
Microsoft products, but to my reading does not address the basic
vulnerabilities he outlines. The defense consists of assertions that real
users wouldn't leave exported keys lying around on their hard disk
(uh huh), that security is constantly being improved in Microsoft
products (true but not helpful now), that the weaknesses apply only
to Microsoft's "base" crypto implementations and not to any
third-party package (so?), and that users shouldn't run an unknown applet
that could mount these attacks in the first place. Microsoft's
rebuttal correctly points out that security is as much a matter of
policy and follow-through as of technology. But it's not too much
to ask that the base crypto technology, which will end up being used
out-of-the-box by the vast majority of Microsoft's customers,
provide meaningful assistance to less knowledgeable users in following
sound security policies. For example the software shouldn't accept
an easily-guessed password that can trivially be broken in a
dictionary attack.

In other news, Microsoft has posted a patch [21] to fix the mk://
vulnerability reported in TBTF for 1998-01-19 [22].

What used to be good advice about cross-platform color no longer works

This story is not news to those engaged in building cross-platform,
cross-browser Web sites. The so-called "browser-safe palette" [23],
a set of 216 colors which since the days of Netscape Navigator 2
has offered the best chance to get Web pages looking the same in
Netscape and IE browsers, on Windows, Unix, and Macintosh, no longer
works reliably in Communicator 4. For reasons unknown Netscape
has changed the browser's dithering algorithms. The results are
spelled out in all their unpretty detail on this site [24], whose
principals have had no luck at all in getting Netscape to take
this problem seriously.

This censorware is not only overbroad, it's also certifiably brain-dead

In TBTF for 1997-12-24 we looked at the broad-brush way Cyber Patrol
blanks out large (and usually innocuous) swaths of the Internet.
Now here's a look at CyberSitter which, besides being similarly
overbroad, works its protective magic in a singularly deranged
fashion.

A note on a mailing list for PerForce, a code source control
product, reported a strange problem. When viewed from a particular NT
machine, and only from there, two lines of code that should read:

#define one 1 /* foo menu */
#define two 2 /* bar baz */

were always corrupted so as to read:

#define one 1 /* foo me */
# fine two 2 /* bar baz */

It turns out that CyberSitter had been
installed on that one NT machine. CyberSitter apparently works by
patching the TCP drivers and watching the data flow over every IP
connection, filtering out bad words. In the code fragment above,
CyberSitter detected the word "nude" -- never mind the punctuation
characters and the end-of-line -- and removed it from the stream.
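
The failure described above can be reproduced with a small model, given here as an added example that is not part of the original newsletter and is not CyberSitter's code. It assumes the filter matches a banned word's letters in order while skipping any non-letter characters, and blanks the matched letters with spaces (up to whitespace, this yields the corrupted lines in the report); the function names are hypothetical.

```python
import re

# Constructed sample: the two source lines quoted in the report above.
SAMPLE = "#define one 1 /* foo menu */\n#define two 2 /* bar baz */\n"


def naive_stream_filter(data: str, banned: str) -> str:
    """Assumed model of the described behaviour (not CyberSitter's code):
    match the banned word's letters in order, skipping any non-letter
    characters in between, and blank the matched letters with spaces."""
    banned = banned.lower()
    out = list(data)
    i = 0
    while i < len(data):
        hits, j, k = [], i, 0
        while j < len(data) and k < len(banned):
            ch = data[j]
            if ch.isalpha():
                if ch.lower() != banned[k]:
                    break              # wrong letter: no match from i
                hits.append(j)
                k += 1
            elif not hits:
                break                  # a match has to start on a letter
            j += 1                     # non-letters inside a match are skipped
        if k == len(banned):
            for pos in hits:
                out[pos] = " "
            i = j
        else:
            i += 1
    return "".join(out)


def whole_word_filter(data: str, banned: str) -> str:
    """Contrast: blank the word only where it stands alone as a token."""
    pattern = re.compile(r"\b" + re.escape(banned) + r"\b", re.IGNORECASE)
    return pattern.sub(lambda m: " " * len(m.group()), data)


if __name__ == "__main__":
    print(naive_stream_filter(SAMPLE, "nude"), end="")   # both lines damaged
    print(whole_word_filter(SAMPLE, "nude"), end="")     # source left intact
```

Because the naive matcher runs on the raw byte stream of every connection, it has no notion of tokens, lines or file types, so any data that happens to contain the letters in sequence is silently altered in transit.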

This site [25] reproduces what it claims is the entire censor file
for CyberSitter, reverse engineered from the product. Thanks to Dan
Kohn <dan at teledesic dot com> and Keith Bostic <nev at bostic dot com>
for news on this piece of bad software (and social) engineering.

Lawmen's use of the spectres of international terrorism, money
laundering, drug dealing, and child pornography to curb the
freedoms of the Net is an old story in the USA. Now it seems
that such lawmen are getting to European politicians as well [29].
A meeting of EU ministers in Birmingham, UK concluded that law
enforcement should be given new powers to tap into email and
electronic messaging. With appropriate safeguards, of course,
dear boy. Britain is using its rotation in the EU presidency
to push the establishment of a pan-European police force to be
called Europol, and this body would serve as a fine
clearing-point for intercepted cross-border messages.

It was the summer of 1995 when TBTF first noted [30] the urban
legend of the RSA tattoo that would render its wearer
deportation-proof. Now Keith Bostic <nev at bostic dot com>
forwards this photo [31] of Richard White's bio-munition which, if
photographs are to be believed, gives new meaning to the phrase
"arms race." Though perhaps the perl should have been
rendered in barcode to make it machine readable.

A flurry of messages flew across the NANOG mailing list -- a
vehicle by which North American network operators keep the
Internet running -- yesterday evening: a massive fiber cut had dropped
Europe out of sight from many east coast US locations. The
explanation came in due course:

FYI a train derailment between Newark NJ and NY cut many fiber
bundles, and completely isolated Worldcom Switch #14 as well
as affecting several other carriers very severely.

Unlike last year's Summer of the Backhoe [26], [27], this outage
resulted directly from the long-haul carriers' propensity [28]
for laying fiber in railroad trackbeds.

Notes

Have you visited Siliconia [32] lately? The Net's premier collection
of Silicon Whatever appellations now features 43 Siliconia
associated with 55 locations around the world. And the page sports
new, bespoke Siliconia artwork, courtesy of the talented CobraBoy
<tbyars at earthlink dot net>.

Did you know? The Details page [33] lists all manner of fascinating
minutiae about TBTF, including privacy and anti-spam policies,
trends, emendations, credits, some history, and the tools I use
to develop and maintain the site.